validatedpatterns
diff --git a/‎README.md‎
Lines changed: 20 additions & 2 deletions b/‎README.md‎
Lines changed: 20 additions & 2 deletions
diff --git a/‎playbooks/vault.yml‎
Lines changed: 2 additions & 2 deletions b/‎playbooks/vault.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎roles/vault_utils/README.md‎
Lines changed: 49 additions & 1 deletion b/‎roles/vault_utils/README.md‎
Lines changed: 49 additions & 1 deletion
diff --git a/‎roles/vault_utils/defaults/main.yml‎
Lines changed: 21 additions & 2 deletions b/‎roles/vault_utils/defaults/main.yml‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎roles/vault_utils/tasks/vault_ss_csi_apply_one_hub_sscsi_role.yaml‎
Lines changed: 17 additions & 0 deletions b/‎roles/vault_utils/tasks/vault_ss_csi_apply_one_hub_sscsi_role.yaml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎roles/vault_utils/tasks/vault_ss_csi_apply_one_spoke_sscsi_role.yaml‎
Lines changed: 23 additions & 0 deletions b/‎roles/vault_utils/tasks/vault_ss_csi_apply_one_spoke_sscsi_role.yaml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎roles/vault_utils/tasks/vault_ss_csi_compute_role_slug.yaml‎
Lines changed: 50 additions & 0 deletions b/‎roles/vault_utils/tasks/vault_ss_csi_compute_role_slug.yaml‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎roles/vault_utils/tasks/vault_ss_csi_load_clustergroup_values.yaml‎
Lines changed: 132 additions & 0 deletions b/‎roles/vault_utils/tasks/vault_ss_csi_load_clustergroup_values.yaml‎
Lines changed: 132 additions & 0 deletions
@@ -14,14 +14,32 @@ loading local secrets files into VP secrets stores.
 `vault_utils` can read `ssCsiWorkloadAuth` entries from clustergroup values and
 create Vault Kubernetes auth roles for hub and spoke workloads.
 
+By default it loads **merged** clustergroup YAML from an in-cluster `ConfigMap`
+named `values-<main_clustergroupname>` in `openshift-gitops` (override with
+`vault_ss_csi_clustergroup_configmap_namespace` and
+`vault_ss_csi_clustergroup_configmap_name`). It looks for a data key such as
+`values.yaml` unless you set `vault_ss_csi_clustergroup_configmap_key`. The
+document must include a top-level `clusterGroup` key. If the `ConfigMap` is
+missing or unusable, it falls back to
+`pattern_dir/values-<main_clustergroupname>.yaml` when
+`vault_ss_csi_fallback_local_clustergroup_file` is true.
+
 At the application level (`clusterGroup.applications.<app>`), the relevant
 inputs are:
 
 - `ssCsiWorkloadAuth` (list)
 - `ssCsiWorkloadAuth[].serviceAccount` (required)
 - `ssCsiWorkloadAuth[].namespace` (optional)
-- `ssCsiWorkloadAuth[].cluster` (optional)
-- `ssCsiWorkloadAuth[].roleSlug` / `role_slug` (optional)
+- `ssCsiWorkloadAuth[].cluster` (optional): matching hint for **which** spoke a
+  row applies to (managed cluster group name, `ManagedCluster` name, spoke FQDN
+  / `vault_path`, or `clusterGroup` label). For Vault writes, spokes are
+  normalized to **`vault_path`** (full DNS), same as External Secrets.
+- `ssCsiWorkloadAuth[].roleSlug` / `role_slug` (optional): suffix only; Vault
+  role is **`<mount>-sscsi-<slug>`** where **`<mount>`** is hub **`hub`** (or
+  configured hub path) or the spoke **`vault_path`**. When using the
+  **vp-sscsi-spc** chart, `spec.parameters.roleName` uses the same **mount**
+  as `vaultKubernetesMountPath` (typically **`global.clusterDomain`** on
+  spokes), not the short `cluster` value.
 - application `namespace` (optional default for entry namespace)
 
 CA material management for SS CSI is not handled in this collection anymore.
 
@@ -4,8 +4,8 @@
   connection: local
   gather_facts: false
   roles:
-   # Resolves pattern_dir (PATTERN_DIR / PWD) and loads main.clusterGroupName as main_clustergroup
-   # so vault_ss_csi_workload_auth can read values-<clustergroup>.yaml for ssCsiWorkloadAuth.
+   # Resolves pattern_dir (PATTERN_DIR / PWD) and loads main.clusterGroupName as main_clustergroup.
+   # vault_ss_csi_workload_auth prefers merged clustergroup YAML from an in-cluster ConfigMap, then file fallback.
    - pattern_settings
    - find_vp_secrets
    - cluster_pre_check
 
@@ -60,15 +60,46 @@ This role can create Vault Kubernetes auth roles from
 `clusterGroup.applications.*.ssCsiWorkloadAuth` and
 `clusterGroup.managedClusterGroups.*.applications.*.ssCsiWorkloadAuth`.
 
+Clustergroup values are loaded for SS CSI in this order (see
+`tasks/vault_ss_csi_load_clustergroup_values.yaml`):
+
+1. In-cluster `ConfigMap` (default: namespace `openshift-gitops`, name
+   `values-<main_clustergroupname>`, YAML under a `values.yaml`-style data key),
+   when `vault_ss_csi_clustergroup_values_from_configmap` is true. The parsed
+   document must define `clusterGroup`.
+2. Local file `vault_ss_csi_cluster_values_file`, or
+   `pattern_dir/values-<main_clustergroupname>.yaml`, when
+   `vault_ss_csi_fallback_local_clustergroup_file` is true.
+
+Override defaults with `vault_ss_csi_clustergroup_configmap_namespace`,
+`vault_ss_csi_clustergroup_configmap_name`, `vault_ss_csi_clustergroup_configmap_key`,
+and `vault_ss_csi_clustergroup_configmap_key_candidates` as needed for your pattern.
+
+Vault Kubernetes auth **role names** use the form **auth mount + `-sscsi-` + slug**. They must satisfy
+Vault path rules (non-empty slug, no trailing `-`, bounded length on some versions).
+This role derives `slug` from optional `roleSlug`, or from `vault_ss_csi_role_slug_mode`
+(`hash` or `stable_slug`), and shortens to a SHA-1 prefix when
+`vault_ss_csi_kubernetes_auth_role_name_max_length` would be exceeded (set to `0`
+for no limit). If an older Vault returns **400 invalid role name**, use `hash` mode,
+set a short explicit `roleSlug`, or lower `vault_ss_csi_kubernetes_auth_role_name_max_length`.
+
 For each `ssCsiWorkloadAuth` entry:
 
 - required: `serviceAccount`
 - optional: `namespace`, `cluster`, `roleSlug` (or `role_slug`)
 
+For spokes, `cluster` in values can be the **managed cluster group** name (default), the ACM **`ManagedCluster` name**, the spoke **FQDN** (`vault_path`, same as Vault/ESO), or **`metadata.labels.clusterGroup`**. During `vault_spokes_init`, rows are **normalized** so spoke Vault roles always use **`vault_path`** (full cluster DNS name) as the cluster id, matching ESO and the Kubernetes auth mount path on the spoke.
+
+**Charts (vp-sscsi-spc):** `SecretProviderClass` workload auth should use the same
+idea: with `roleSlug` set, the chart emits **`roleName: <vaultKubernetesMountPath>-sscsi-<roleSlug>`**
+where **`vaultKubernetesMountPath`** is the hub mount or **`global.clusterDomain`**
+on the spoke. You do not need to duplicate the spoke FQDN in `ssCsiWorkloadAuth.cluster`
+for the CSI role name; keep `cluster` as a matcher for Ansible (short name or FQDN).
+
 Application-level `namespace` is used as the default when an entry does not set
 `namespace`.
 
-Example:
+Example (hub):
 
 ```yaml
 clusterGroup:
@@ -78,6 +109,23 @@ clusterGroup:
       ssCsiWorkloadAuth:
         - serviceAccount: my-app-sa
           cluster: hub
+          roleSlug: my-app-my-app-sa-my-app
+```
+
+Example (spoke row in hub values under `managedClusterGroups` — `cluster` may be the group name; Vault and vp-sscsi-spc still use the spoke FQDN as mount and role prefix):
+
+```yaml
+clusterGroup:
+  managedClusterGroups:
+    exampleRegion:
+      name: group-one
+      applications:
+        my-app:
+          namespace: my-app-namespace
+          ssCsiWorkloadAuth:
+            - serviceAccount: my-app-sa
+              cluster: group-one
+              roleSlug: my-app-my-app-sa-my-app
 ```
 
 SS CSI CA material management is external to this role. Use a separate chart or
 
@@ -72,15 +72,34 @@ vault_csi_role_ttl: "15m"
 #   clusterGroup.applications.<app>
 # or under clusterGroup.managedClusterGroups.<group>.applications.<app>
 # (see vault_ss_csi_* tasks). Example element:
-#   { serviceAccount: my-sa, namespace: my-ns, cluster: <spoke>, optional roleSlug: stable suffix }
+#   { serviceAccount: my-sa, namespace: my-ns, cluster: <match hint>, optional roleSlug: suffix }
+# cluster: which cluster the row targets (MCG name, ManagedCluster name, vault_path/FQDN, or clusterGroup label);
+#   spoke rows are normalized to vault_path before Vault role writes (same id as ESO). Vault role name is always
+#   <mount>-sscsi-<slug> where mount is hub or vault_path (vp-sscsi-spc uses the same mount for roleName).
 # namespace defaults to the application namespace; cluster defaults to hub for hub apps, or to
 # managedClusterGroup.name (else the group YAML key) for applications declared under managedClusterGroups.
 vault_ss_csi_from_applications: true
-# Override path to values-<clustergroup>.yaml; empty uses pattern_dir/values-{{ main_clustergroupname }}.yaml
+# Prefer merged clustergroup values from an in-cluster ConfigMap (reflects GitOps overrides).
+vault_ss_csi_clustergroup_values_from_configmap: true
+# Namespace containing the clustergroup values ConfigMap (OpenShift GitOps default).
+vault_ss_csi_clustergroup_configmap_namespace: openshift-gitops
+# If empty, the ConfigMap name defaults to values-<main_clustergroupname> (same stem as values-<cg>.yaml).
+vault_ss_csi_clustergroup_configmap_name: ""
+# If empty, try keys in vault_ss_csi_clustergroup_configmap_key_candidates in order.
+vault_ss_csi_clustergroup_configmap_key: ""
+vault_ss_csi_clustergroup_configmap_key_candidates:
+  - values.yaml
+  - helm-values.yaml
+  - values.yml
+# When the ConfigMap is missing or does not contain a parseable clusterGroup document, slurp local file.
+vault_ss_csi_fallback_local_clustergroup_file: true
+# Override path to values-<clustergroup>.yaml; empty uses pattern_dir/values-{{ main_clustergroupname }}.yaml (fallback only)
 vault_ss_csi_cluster_values_file: ""
 vault_ss_csi_role_ttl: "15m"
 # How Vault names Kubernetes auth roles: auth/<mount>/role/<mount>-sscsi-<slug>
 # - hash: legacy SHA1 of namespace|serviceAccount|app (hub) or vault_path|... (spoke)
 # - stable_slug: hub-sscsi-<ns>-<sa>-<app> (sanitized); spokes prefix sanitized vault_path
 # Per-entry override wins: ssCsiWorkloadAuth[].roleSlug (suffix only; still prefixed with <mount>-sscsi-)
 vault_ss_csi_role_slug_mode: hash
+# Full role name is <auth_mount>-sscsi-<slug>. Cap length for older Vault (HTTP 400 invalid role name); 0 = no limit.
+vault_ss_csi_kubernetes_auth_role_name_max_length: 256
@@ -0,0 +1,17 @@
+---
+- name: Compute Vault role slug for hub SS CSI identity
+  ansible.builtin.include_tasks: vault_ss_csi_compute_role_slug.yaml
+  vars:
+    ss_csi_mount_prefix: "{{ vault_hub }}"
+    ss_csi_hash_input: "{{ (item.namespace | default('', true)) ~ '|' ~ (item.serviceAccount | default('', true)) ~ '|' ~ (item.app | default('', true)) }}"
+
+- name: Configure hub Vault Kubernetes auth role for SS CSI workload identity
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      vault write auth/"{{ vault_hub }}"/role/"{{ vault_hub }}-sscsi-{{ _role_slug }}"
+        bound_service_account_names="{{ item.serviceAccount }}"
+        bound_service_account_namespaces="{{ item.namespace }}"
+        policies="{{ _merged_hub_policies | join(',') }}"
+        ttl="{{ vault_ss_csi_role_ttl }}"
@@ -0,0 +1,23 @@
+---
+- name: Compute Vault role slug for spoke SS CSI identity
+  ansible.builtin.include_tasks: vault_ss_csi_compute_role_slug.yaml
+  vars:
+    ss_csi_mount_prefix: "{{ vault_spoke_cluster_loop.value.vault_path }}"
+    ss_csi_hash_input: >-
+      {{
+        (vault_spoke_cluster_loop.value.vault_path | string)
+        ~ '|' ~ (item.namespace | default('', true))
+        ~ '|' ~ (item.serviceAccount | default('', true))
+        ~ '|' ~ (item.app | default('', true))
+      }}
+
+- name: Configure Vault SS CSI role on spoke {{ vault_spoke_cluster_loop.key }}
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      vault write auth/{{ vault_spoke_cluster_loop.value.vault_path }}/role/{{ vault_spoke_cluster_loop.value.vault_path }}-sscsi-{{ _role_slug }}
+        bound_service_account_names="{{ item.serviceAccount }}"
+        bound_service_account_namespaces="{{ item.namespace }}"
+        policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ vault_spoke_cluster_loop.value.vault_path }}-secret"
+        ttl="{{ vault_spoke_ttl }}"
@@ -0,0 +1,50 @@
+---
+# Sets _role_slug for Vault Kubernetes auth role name: <ss_csi_mount_prefix>-sscsi-<slug>
+# Requires: item (ssCsiWorkloadAuth row), ss_csi_mount_prefix, ss_csi_hash_input (string for SHA1).
+
+- name: Derive SS CSI Kubernetes auth role slug
+  ansible.builtin.set_fact:
+    _role_slug: "{{ _ss_csi_final_slug }}"
+  vars:
+    _raw_slug: "{{ item.roleSlug | default(item.role_slug | default('', true), true) | string | trim }}"
+    _sanitized_custom: >-
+      {{ _raw_slug | lower | regex_replace('[^a-z0-9-]+', '-') | regex_replace('-+', '-') | trim('-') }}
+    _stable_ns: "{{ item.namespace | default('', true) | lower | regex_replace('[^a-z0-9-]+', '-') | regex_replace('-+', '-') | trim('-') }}"
+    _stable_sa: "{{ item.serviceAccount | default('', true) | lower | regex_replace('[^a-z0-9-]+', '-') | regex_replace('-+', '-') | trim('-') }}"
+    _stable_app: "{{ item.app | default('', true) | lower | regex_replace('[^a-z0-9-]+', '-') | regex_replace('-+', '-') | trim('-') }}"
+    _stable_joined: "{{ [_stable_ns, _stable_sa, _stable_app] | reject('equalto', '') | list | join('-') | regex_replace('-+', '-') | trim('-') }}"
+    _hash_slug: "{{ ss_csi_hash_input | hash('sha1') }}"
+    _max_len: "{{ vault_ss_csi_kubernetes_auth_role_name_max_length | default(256) | int }}"
+    _prefix: "{{ ss_csi_mount_prefix | string }}"
+    _mode: "{{ vault_ss_csi_role_slug_mode | default('hash') | lower }}"
+    _candidate: >-
+      {{
+        (_sanitized_custom | length > 0)
+        | ternary(
+            _sanitized_custom,
+            (((_mode == 'stable_slug') and (_stable_joined | length > 0))
+             | ternary(_stable_joined, _hash_slug))
+          )
+      }}
+    _prefix_len: "{{ _prefix | length }}"
+    _candidate_len: "{{ _candidate | length }}"
+    _needs_shorten: >-
+      {{
+        (_max_len | int > 0)
+        and ((_prefix_len | int) + 7 + (_candidate_len | int) > (_max_len | int))
+      }}
+    _budget: >-
+      {{
+        ([(_max_len | int) - (_prefix_len | int) - 7, 8] | max)
+        if (_max_len | int > 0) else 40
+      }}
+    _hash_take: "{{ [_budget | int, 40] | min }}"
+    _short_hash: "{{ _hash_slug[0 : (_hash_take | int)] }}"
+    _ss_csi_final_slug: >-
+      {{
+        (_needs_shorten | bool)
+        | ternary(
+            _short_hash,
+            (((_candidate | length) > 0) | ternary(_candidate, _hash_slug))
+          )
+      }}
@@ -0,0 +1,132 @@
+---
+# Load merged clustergroup values for SS CSI: prefer in-cluster ConfigMap, then local file.
+# Sets _vault_ss_csi_values_root (mapping with .clusterGroup) and _vault_ss_csi_values_source when successful.
+# Requires: main_clustergroupname; pattern_dir for file fallback.
+
+- name: Initialize SS CSI clustergroup values load facts
+  ansible.builtin.set_fact:
+    _vault_ss_csi_values_source: ""
+    _ss_csi_cm_data: {}
+    _ss_csi_cm_yaml_key: ""
+
+- name: Compute SS CSI clustergroup ConfigMap object name
+  ansible.builtin.set_fact:
+    _ss_csi_cg_cm_name: >-
+      {{
+        (vault_ss_csi_clustergroup_configmap_name | default('', true) | string | trim | length > 0)
+        | ternary(
+            vault_ss_csi_clustergroup_configmap_name | string | trim,
+            'values-' ~ (main_clustergroupname | string | trim)
+          )
+      }}
+  when:
+    - main_clustergroupname is defined
+    - main_clustergroupname | string | trim | length > 0
+
+- name: Read clustergroup values ConfigMap from cluster (SS CSI)
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: ConfigMap
+    name: "{{ _ss_csi_cg_cm_name }}"
+    namespace: "{{ vault_ss_csi_clustergroup_configmap_namespace }}"
+  register: _vault_ss_csi_cg_cm
+  failed_when: false
+  when:
+    - vault_ss_csi_clustergroup_values_from_configmap | default(true) | bool
+    - _ss_csi_cg_cm_name is defined
+
+- name: Set ConfigMap .data for SS CSI clustergroup parse
+  ansible.builtin.set_fact:
+    _ss_csi_cm_data: "{{ _vault_ss_csi_cg_cm.resources[0].data | default({}) }}"
+  when:
+    - vault_ss_csi_clustergroup_values_from_configmap | default(true) | bool
+    - _vault_ss_csi_cg_cm is defined
+    - not (_vault_ss_csi_cg_cm.failed | default(false))
+    - (_vault_ss_csi_cg_cm.resources | default([]) | length) > 0
+
+- name: Build ordered ConfigMap data key candidates for clustergroup YAML
+  ansible.builtin.set_fact:
+    _ss_csi_cm_key_candidates: >-
+      {{
+        (
+          ([vault_ss_csi_clustergroup_configmap_key | default('', true) | string | trim]
+           | reject('equalto', '') | list)
+          + (vault_ss_csi_clustergroup_configmap_key_candidates | default([]))
+        ) | unique | list
+      }}
+  when:
+    - _ss_csi_cm_data is defined
+    - (_ss_csi_cm_data | default({}) | length) > 0
+
+- name: Pick first ConfigMap data key present in candidates (SS CSI)
+  ansible.builtin.set_fact:
+    _ss_csi_cm_yaml_key: "{{ item }}"
+  loop: "{{ _ss_csi_cm_key_candidates | default([]) }}"
+  when:
+    - (_ss_csi_cm_yaml_key | default('') | string | length) == 0
+    - item in (_ss_csi_cm_data | default({}))
+
+- name: Parse YAML from ConfigMap data (SS CSI)
+  block:
+    - name: Decode YAML string from ConfigMap key
+      ansible.builtin.set_fact:
+        _vault_ss_csi_cm_values_candidate: "{{ _ss_csi_cm_data[_ss_csi_cm_yaml_key] | trim | from_yaml }}"
+  rescue:
+    - name: Note ConfigMap YAML parse failure (SS CSI)
+      ansible.builtin.set_fact:
+        _vault_ss_csi_cm_values_candidate: {}
+
+- name: Accept clustergroup values from ConfigMap when clusterGroup is present (SS CSI)
+  ansible.builtin.set_fact:
+    _vault_ss_csi_values_root: "{{ _vault_ss_csi_cm_values_candidate }}"
+    _vault_ss_csi_values_source: >-
+      configmap {{ vault_ss_csi_clustergroup_configmap_namespace }}/{{ _ss_csi_cg_cm_name }} key={{ _ss_csi_cm_yaml_key }}
+  when:
+    - _vault_ss_csi_cm_values_candidate is defined
+    - _vault_ss_csi_cm_values_candidate is mapping
+    - _vault_ss_csi_cm_values_candidate.clusterGroup is defined
+    - _ss_csi_cm_yaml_key is defined
+    - _ss_csi_cm_yaml_key | string | length > 0
+
+- name: Resolve path to clustergroup values file for SS CSI (fallback)
+  ansible.builtin.set_fact:
+    _vault_ss_csi_values_path: "{{ vault_ss_csi_cluster_values_file | default('', true) | trim }}"
+
+- name: Default clustergroup values path from pattern_dir (SS CSI fallback)
+  ansible.builtin.set_fact:
+    _vault_ss_csi_values_path: "{{ pattern_dir }}/values-{{ main_clustergroupname }}.yaml"
+  when:
+    - (_vault_ss_csi_values_path | default('', true) | length) == 0
+    - pattern_dir is defined
+    - pattern_dir | length > 0
+    - main_clustergroupname is defined
+    - main_clustergroupname | string | trim | length > 0
+
+- name: Stat clustergroup values file for SS CSI (fallback)
+  ansible.builtin.stat:
+    path: "{{ _vault_ss_csi_values_path }}"
+  register: _vault_ss_csi_values_stat
+  when:
+    - vault_ss_csi_fallback_local_clustergroup_file | default(true) | bool
+    - _vault_ss_csi_values_root is not defined
+    - _vault_ss_csi_values_path is defined
+    - _vault_ss_csi_values_path | length > 0
+
+- name: Load clustergroup values YAML from local file (SS CSI fallback)
+  ansible.builtin.slurp:
+    src: "{{ _vault_ss_csi_values_path }}"
+  register: _vault_ss_csi_values_slurp
+  when:
+    - vault_ss_csi_fallback_local_clustergroup_file | default(true) | bool
+    - _vault_ss_csi_values_root is not defined
+    - _vault_ss_csi_values_stat is defined
+    - _vault_ss_csi_values_stat.stat.exists | default(false)
+
+- name: Decode clustergroup values root from local file (SS CSI fallback)
+  ansible.builtin.set_fact:
+    _vault_ss_csi_values_root: "{{ (_vault_ss_csi_values_slurp.content | b64decode | from_yaml) }}"
+    _vault_ss_csi_values_source: "file {{ _vault_ss_csi_values_path }}"
+  when:
+    - vault_ss_csi_fallback_local_clustergroup_file | default(true) | bool
+    - _vault_ss_csi_values_slurp is defined
+    - _vault_ss_csi_values_slurp.content is defined